Show Notes
Overview
First episode of 2019! This week we look at “System Down” in systemd, as well as updates for the Linux kernel, GnuPG, PolicyKit and more, and discuss a recent page cache side-channel attack that uses the mincore() system call.
This week in Ubuntu Security Updates
51 unique CVEs addressed across the supported Ubuntu releases.
- Kernel updates as part of normal 3-weekly SRU cycle - includes various fixes across the supported releases
- CVE-2018-18710 (Cosmic, Bionic, Bionic HWE, Xenial, Xenial HWE, Trusty, Trusty HWE)
- CVE-2018-18690 (Bionic, Bionic HWE, Xenial, Xenial HWE, Trusty, Trusty HWE)
- CVE-2018-18445 (Bionic, Bionic HWE)
- CVE-2018-16276 (Bionic, Bionic HWE)
- CVE-2018-14734 (Bionic, Bionic HWE)
- CVE-2018-12896 (Bionic, Bionic HWE, Xenial, Xenial HWE, Trusty, Trusty HWE)
- CVE-2017-18174 (Xenial, Xenial HWE)
- CVE-2018-10902 (Trusty, Trusty HWE)
- CVE-2017-2647 (Trusty, Trusty HWE)
- Info leak in CDROM driver - a cast from unsigned long to int in an ioctl handler defeats the bounds check, allowing an out-of-bounds read of kernel memory
- XFS DoS via writing of extended attributes - triggers an unchecked error condition that leaves the filesystem in an error state until the next mount
- Bounds check bypass in BPF verifier (mentioned in Episode 15)
- Incorrect bounds checking in Yurex USB driver (Episode 7)
- UAF in infiniband -> Crash -> DoS
- Integer overflow in POSIX timer overrun accounting - the overrun count is kept in an int while the computed 64-bit value can exceed INT_MAX, so the values reported to userspace via timer_getoverrun() and si_overrun become garbage
- Double free in AMD GPIO pinctrl driver - DoS / privilege escalation
- Race condition in midi driver - double free -> privilege escalation
- NULL pointer dereference in kernel keyring -> crash -> DoS
[LSN-0046-1] Linux kernel livepatch for vulnerabilities
[USN-3850-1] NSS vulnerabilities
- 3 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
- Cache side-channel variant of Bleichenbacher attack (http://cat.eyalro.net/)
- When handling an SSLv2-compatible ClientHello, the server sends a ServerHello with an all-zero random instead of generating a fresh one
- Cache side-channel attack on ECDSA signatures (Trusty only)
[USN-3851-1] Django vulnerability
- 1 CVE addressed in Trusty, Xenial, Bionic, Cosmic
- Attacker could craft a malicious URL to make spoofed content appear on the generated 404 page
[USN-3852-1] Exiv2 vulnerabilities
- 9 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
- Infinite recursion leading to stack exhaustion -> crash -> DoS
- Multiple heap based buffer out-of-bounds reads -> crash -> DoS
- Multiple invalid pointer dereferences -> crash -> DoS
- Invalid assertion, NULL pointer dereference -> crash -> DoS
[USN-3853-1] GnuPG vulnerability
- 1 CVE addressed in Bionic, Cosmic
- GnuPG includes support for Web Key Directories (WKD) to allow easy discovery of public keys via HTTPS
- Allows a key to be imported from a web server -> first need to look up the host via a DNS SRV record
- dirmngr fails to validate the SRV response - so it performs an attacker-controlled, arbitrary HTTPS GET request
- Attacker needs to construct a malicious SRV record for the domain in question
- Possible CSRF, content injection, information disclosure etc.
- Thunderbird (with Enigmail) will automatically use WKD via GnuPG to look up missing keys, so exploitation is easy
[USN-3854-1] WebKitGTK+ vulnerabilities
- 1 CVE addressed in Bionic, Cosmic
- Possible RCE via invalid processing of crafted web content (as usual, limited details on WebKitGTK vulnerabilities…)
[USN-3855-1] systemd vulnerabilities
- 3 CVEs addressed in Xenial, Bionic, Cosmic
- “System Down” systemd vulnerabilities
- Chris Coulson put in a heroic effort and patched quickly - Ubuntu first affected distro to release patched systemd
- Uses variable length arrays and alloca() on the stack with attacker-controlled sizes (e.g. from data sent to journald)
- A large enough allocation moves the stack pointer past the kernel's stack guard page into another mapping (e.g. the heap), so subsequent writes corrupt that mapping instead of hitting the guard (a “stack clash”)
- Possible code execution as a result (original advisory contained a PoC for i386 which gained control of the instruction pointer)
- Can be mitigated via the gcc flag -fstack-clash-protection, which touches each page as the stack grows so the guard page can't be skipped - this is now under review to be used by default in forthcoming Ubuntu releases
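The bug class and the fix pattern, as an added example (this is not systemd's code and not from the advisory): a function that sizes a stack VLA from a peer-supplied length, beside a hardened version that caps what goes on the stack and spills larger inputs to the heap. The STACK_ALLOC_MAX value, the FNV-1a hash standing in for "processing the message" and the sample input are assumptions made for the example. Build with `gcc -fstack-clash-protection` to see the compiler's own mitigation: it emits a probe on every page as the frame grows, so even the vulnerable function's oversized frame hits the guard page instead of stepping over it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound for what we are willing to place on the stack. systemd has a
 * comparable ALLOCA_MAX limit; the exact value here is an assumption. */
#define STACK_ALLOC_MAX (4096u * 4u)

/* FNV-1a over a buffer: stand-in for "some processing of the message". */
static uint32_t fnv1a(const unsigned char *p, size_t len)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

/* Vulnerable pattern (illustrative, not systemd's code): the VLA is sized by
 * a length the remote peer chose. With a multi-megabyte len the stack pointer
 * is moved below the guard page and memcpy() writes into whatever mapping
 * sits there (typically the heap): the "stack clash" System Down relies on.
 * Only ever call this with a small, trusted len. */
static uint32_t process_vla(const unsigned char *msg, size_t len)
{
    unsigned char copy[len];            /* attacker-sized stack allocation */
    memcpy(copy, msg, len);
    return fnv1a(copy, len);
}

/* Decision used by the hardened variant: large inputs go to the heap. */
static int needs_heap(size_t len)
{
    return len > STACK_ALLOC_MAX;
}

/* Hardened form: a fixed, small stack buffer; anything bigger is malloc()ed.
 * The frame never grows by more than STACK_ALLOC_MAX, so it cannot jump over
 * the guard page. Sets *ok = 0 and returns 0 if the heap allocation fails. */
static uint32_t process_safe(const unsigned char *msg, size_t len, int *ok)
{
    unsigned char stackbuf[STACK_ALLOC_MAX];
    unsigned char *copy = stackbuf;

    if (needs_heap(len)) {
        copy = malloc(len);
        if (!copy) {
            *ok = 0;
            return 0;
        }
    }
    memcpy(copy, msg, len);
    uint32_t h = fnv1a(copy, len);
    if (copy != stackbuf)
        free(copy);
    *ok = 1;
    return h;
}

int main(void)
{
    /* constructed sample input */
    static const unsigned char small[] = "constructed log line";
    int ok = 0;
    printf("vla       : %08x\n", process_vla(small, sizeof small));
    printf("safe      : %08x\n", process_safe(small, sizeof small, &ok));

    size_t big_len = 8u << 20;          /* 8 MiB: larger than a default stack */
    unsigned char *big = malloc(big_len);
    if (!big)
        return 1;
    memset(big, 'A', big_len);
    printf("safe(8MiB): %08x (heap path: %d)\n",
           process_safe(big, big_len, &ok), needs_heap(big_len));
    free(big);
    return 0;
}
```

The vulnerable function is only ever fed the small constructed input; handing it the 8 MiB buffer would move the stack pointer past the guard gap and corrupt whatever lies below (or, when built with -fstack-clash-protection, fault cleanly on the guard page). The hardened version produces the same result for both inputs without the frame ever growing beyond STACK_ALLOC_MAX.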
[USN-3856-1] GNOME Bluetooth vulnerability
- 1 CVE addressed in Bionic
- BlueZ doesn’t necessarily make the Bluetooth adapter undiscoverable automatically after the discoverable timeout
- Hence after enabling discovery the device would still be discoverable even though the user expects it not to be anymore
- The actual bug is really in BlueZ, but a workaround has now been added to GNOME Bluetooth to disable discovery explicitly
[USN-3857-1] PEAR vulnerability
- 1 CVE addressed in Xenial, Bionic, Cosmic
- PHP Extension and Application Repository - possible RCE via PHP object injection when deserialising
- Triggered when unpacking a PHAR (PHP ARchive) - a PHAR can also be hidden inside a JPEG, so this is easy to exploit - just need an image upload (WordPress etc.)
[USN-3858-1] HAProxy vulnerabilities
- 3 CVEs addressed in Xenial, Bionic, Cosmic
- Popular load balancing reverse proxy (used in OpenStack etc.)
- Infinite recursion when following DNS name compression pointers that reference themselves or form long chains -> stack exhaustion -> crash -> DoS
- Out-of-bounds read when validating DNS responses - information disclosure of 16 bytes
- Fails to ensure a valid length for H2 HEADERS frames when decoding - out-of-bounds read -> crash -> DoS
[USN-3859-1] libarchive vulnerabilities
- 4 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
- Out-of-bounds read for UTF-16 names in RAR archives
- UAF and double free in RAR decoder - crash -> DoS, possible RCE
- Quasi-infinite runtime and disk usage from a tiny crafted WARC file (Web Archive format for storing results of crawling websites)
[USN-3860-1, USN-3860-2] libcaca vulnerabilities
- 7 CVEs addressed in Precise ESM, Trusty, Xenial, Bionic, Cosmic
- Library and utils for handling colour ASCII art (used by various media players to show videos in a terminal etc)
- Various issues - OOB reads, writes and a floating point exception -> crash -> DoS
[USN-3861-1, USN-3861-2] PolicyKit vulnerability
- 1 CVE addressed in Precise ESM, Trusty, Xenial, Bionic, Cosmic
- Incorrect handling of UIDs greater than INT_MAX - allows such a user to bypass policy and execute any systemctl command
- 1 CVE addressed in Trusty, Xenial, Bionic, Cosmic
- UAF when expiring hidden lines from the scroll buffer
Goings on in Ubuntu and Linux Security Community
New page cache side-channel attack via mincore()
- Discovered by a team of researchers including some of those who found Spectre / Meltdown
- Uses the mincore() system call on Linux to determine whether the pages of a file are present in the page cache
- mincore() fills a vector with one byte per page in the requested range, with the low bit set for pages that are resident
- Can use this side-channel to either:
- determine when another process touches a given page of a shared library (the file's pages sit in the page cache once and are shared by every process that maps it, so the attacker can watch them via its own mapping, regardless of where ASLR placed the library in each process)
- need to first evict the given page from the cache, which is difficult, but the authors propose a new efficient way to do this
- can then do things like UI redressing etc. in response
- Or can use this as a covert channel to leak information from one process to another
- Can even be used over the network - the response timing of an innocent web server reveals whether a file is in its page cache
- Paper also describes an efficient cache eviction strategy
- Linus directly applied a fix (https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=574823bfab82d9d8fa47f422778043fbb4b4f50e)
- This changes mincore() to report only pages that are mapped into the calling process's page tables, i.e. ones it has faulted in itself, rather than page cache residency
- So at best an attacker can now observe when a page is evicted from the cache, but can't see when another process faults in a page
- Breaks user-space API of mincore() and hence some existing programs (as noted in the commit)
- Linus’ primary rule is to never break userspace, BUT in this case as it is a security vulnerability this is okay
- This will also likely affect other programs in Ubuntu etc. that use mincore() (fincore, e4defrag, qemu etc.)
- Fix is not in a stable upstream kernel release yet as upstream is waiting to see what the fallout is, and so it has also not been applied to Ubuntu kernels yet
- Also good discussion on LWN https://lwn.net/Articles/776801/ which highlights other avenues for inferring the contents of the page cache and other possible changes to mincore to protect against this attack
- Will be interesting to see where this all ends up
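The primitive under discussion, as an added example (not the paper's code and not the kernel's): create a scratch file, evict it from the page cache, map it, and ask mincore() whether the page is resident before and after touching it. The scratch file path and the use of posix_fadvise(POSIX_FADV_DONTNEED) as a stand-in for the paper's eviction method are assumptions; in a real attack it is the victim, not the probing process, that touches the page, and the probe runs in a loop against a shared library that both processes map.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Ask mincore() whether the first page of a page-aligned mapping is resident.
 * Returns 1 (resident), 0 (not resident) or -1 on error. mincore() fills one
 * byte per page; only the low bit of each byte is defined. */
static int page_resident(void *addr, size_t len)
{
    long page = sysconf(_SC_PAGESIZE);
    size_t npages = (len + (size_t)page - 1) / (size_t)page;
    unsigned char *vec = calloc(npages, 1);
    if (!vec)
        return -1;
    if (mincore(addr, len, vec) != 0) {
        free(vec);
        return -1;
    }
    int r = vec[0] & 1;
    free(vec);
    return r;
}

/* Create a one-page scratch file (constructed for the example), try to evict
 * it from the page cache with POSIX_FADV_DONTNEED, map it read-only, and
 * record what mincore() reports before and after touching the page.
 * Returns 0 on success, -1 on error. */
static int probe_demo(int *before, int *after)
{
    long page = sysconf(_SC_PAGESIZE);
    char path[] = "/tmp/mincore-demo-XXXXXX";   /* assumed scratch location */
    char alt[] = "./mincore-demo-XXXXXX";       /* fallback if /tmp is unusable */
    int fd = mkstemp(path);
    if (fd < 0) {
        fd = mkstemp(alt);
        if (fd < 0)
            return -1;
        unlink(alt);
    } else {
        unlink(path);
    }

    unsigned char *zero = calloc(1, (size_t)page);
    if (!zero || write(fd, zero, (size_t)page) != page || fsync(fd) != 0) {
        free(zero);
        close(fd);
        return -1;
    }
    free(zero);

    /* Drop the (now clean) page from the cache before mapping it. On tmpfs
     * this is a no-op, so "before" can legitimately be 1 there. */
    posix_fadvise(fd, 0, 0, POSIX_FADV_DONTNEED);

    unsigned char *map = mmap(NULL, (size_t)page, PROT_READ, MAP_SHARED, fd, 0);
    if (map == MAP_FAILED) {
        close(fd);
        return -1;
    }
    *before = page_resident(map, (size_t)page);
    volatile unsigned char touch = map[0];      /* fault the page in */
    (void)touch;
    *after = page_resident(map, (size_t)page);

    munmap(map, (size_t)page);
    close(fd);
    return (*before < 0 || *after < 0) ? -1 : 0;
}

int main(void)
{
    int before = -1, after = -1;
    if (probe_demo(&before, &after) != 0) {
        perror("probe_demo");
        return 1;
    }
    printf("resident before read: %d\nresident after read:  %d\n", before, after);
    return 0;
}
```

On a kernel before the fix the "before" probe reports page cache residency, so a page faulted in by any other process shows up as 1 from the attacker's own mapping; that 0 to 1 transition is the side channel. With the change Linus applied, mincore() answers from the caller's page tables instead, so the probe stays 0 until the calling process itself touches the page.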